Cisco ASA 5505 User Manual
Page 952
46-6
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 46 Configuring Inspection for Management Application Protocols
GTP Inspection
This command must be used to enable IMSI Prefix filtering. You can configure multiple instances
to specify permitted MCC and MNC combinations. By default, the ASA does not check the validity
of MNC and MCC combinations, so you must verify the validity of the combinations configured. To
find more information about MCC and MNC codes, see the ITU E.212 recommendation,
Identification Plan for Land Mobile Stations.
b.
To allow invalid GTP packets or packets that otherwise would fail parsing and be dropped, enter the
following command:
hostname(config-pmap-p)# permit errors
By default, all invalid packets or packets that failed, during parsing, are dropped.
c.
To enable support for GSN pooling, use the permit response command.
If the ASA performs GTP inspection, by default the ASA drops GTP responses from GSNs that were
not specified in the GTP request. This situation occurs when you use load-balancing among a pool
of GSNs to provide efficiency and scalability of GPRS.
You can enable support for GSN pooling by using the permit response command. This command
configures the ASA to allow responses from any of a designated set of GSNs, regardless of the GSN
to which a GTP request was sent. You identify the pool of load-balancing GSNs as a network object.
Likewise, you identify the SGSN as a network object. If the GSN responding belongs to the same
object group as the GSN that the GTP request was sent to and if the SGSN is in a object group that
the responding GSN is permitted to send a GTP response to, the ASA permits the response.
d.
To create an object to represent the pool of load-balancing GSNs, perform the following steps:
Use the object-group command to define a new network object group representing the pool of
load-balancing GSNs.
hostname(config)# object-group network GSN-pool-name
hostname(config-network)#
For example, the following command creates an object group named gsnpool32:
hostname(config)# object-group network gsnpool32
hostname(config-network)#
e.
Use the network-object command to specify the load-balancing GSNs. You can do so with one
network-object command per GSN, using the host keyword. You can also using network-object
command to identify whole networks containing GSNs that perform load balancing.
hostname(config-network)# network-object host IP-address
For example, the following commands create three network objects representing individual hosts:
hostname(config-network)# network-object host 192.168.100.1
hostname(config-network)# network-object host 192.168.100.2
hostname(config-network)# network-object host 192.168.100.3
hostname(config-network)#
f.
To create an object to represent the SGSN that the load-balancing GSNs are permitted to respond to,
perform the following steps:
a.
Use the object-group command to define a new network object group that will represent the
SGSN that sends GTP requests to the GSN pool.
hostname(config)# object-group network SGSN-name
hostname(config-network)#
For example, the following command creates an object group named sgsn32:
hostname(config)# object-group network sgsn32